diff options
| author | Jay Faulkner <jay@jvf.cc> | 2015-02-03 17:45:50 -0800 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2015-02-04 13:34:46 +0100 |
| commit | d0a0ccf3fecdb422d3fb7ab89646fe9042f11acd (patch) | |
| tree | bcf30e2e588e220bafd1adc480e36485fbb5bad6 /src/nspawn | |
| parent | 057255fbbf2ecb1c46e025b04087fa9340d9880d (diff) | |
nspawn: Allow module loading if CAP_SYS_MODULE is requested
nspawn containers currently block module loading in all cases, with
no option to disable it. This allows an admin, specifically setting
capability=CAP_SYS_MODULE or capability=all to load modules.
Diffstat (limited to 'src/nspawn')
| -rw-r--r-- | src/nspawn/nspawn.c | 23 |
1 files changed, 20 insertions, 3 deletions
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index 1e6e7bf30..fb672510b 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -2485,15 +2485,18 @@ static int setup_seccomp(void) { static const int blacklist[] = { SCMP_SYS(kexec_load), SCMP_SYS(open_by_handle_at), - SCMP_SYS(init_module), - SCMP_SYS(finit_module), - SCMP_SYS(delete_module), SCMP_SYS(iopl), SCMP_SYS(ioperm), SCMP_SYS(swapon), SCMP_SYS(swapoff), }; + static const int kmod_blacklist[] = { + SCMP_SYS(init_module), + SCMP_SYS(finit_module), + SCMP_SYS(delete_module), + }; + scmp_filter_ctx seccomp; unsigned i; int r; @@ -2518,6 +2521,20 @@ static int setup_seccomp(void) { } } + /* If the CAP_SYS_MODULE capability is not requested then + * we'll block the kmod syscalls too */ + if (!(arg_retain & (1ULL << CAP_SYS_MODULE))) { + for (i = 0; i < ELEMENTSOF(kmod_blacklist); i++) { + r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), kmod_blacklist[i], 0); + if (r == -EFAULT) + continue; /* unknown syscall */ + if (r < 0) { + log_error_errno(r, "Failed to block syscall: %m"); + goto finish; + } + } + } + /* Audit is broken in containers, much of the userspace audit hookup will fail if running inside a container. We don't |